Individual GitHub Repository Access

July 2nd, 2017

I’ve been working on a project for Jekyll/GitHub Pages. I need to be able to programmatically clone specific repositories to my server. Ideally, I could get source code read access to individual (specifically GitHub Page) repositories. While getting broad access is straightforward, figuring out how to restrict access to specific repos a bit harder.

Ad-hoc Access

My first approach was ad-hoc. It’s a personal project, so I don’t mind a bit of setup/configuration. My initial thought using deploy keys and webhooks. However, different repos cannot have identical deploy keys for security reasons. While I only have my own blog right now, ideally the solution doesn’t involve managing dozens of private keys.

OAuth App

The next possibility is oauth and personal access tokens. Provided your token includes the repo scope, you can use the tokens to clone repos. The downside is that this scope is expansive. It grants read access to any repository I have access to. Fine for hobbyists, but definitely not OK for larger organizations.

GitHub App

The final answer is building a GitHub App. Unlike OAuth apps, GitHub App are auth’d to users or organizations and you can grant access to specific repositories. Setup is a bit trickier, but just like OAuth access tokens, you can use GitHub App tokens for cloning repos too.

While I’ll eventually go down the GitHub App path, I’d much rather build a working prototype first, so for now, I’m just going to use the OAuth flow. It should be interesting, as Sentry will simultaneously be moving its integration to a GitHub app as well, for the exact same reasons.